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Abstract 

We suggest an attack on a symmetric non-ideal quantum coin-tossing protocol 
suggested by Mayers Salvail and Chiba-Kohno. The analysis of the attack shows 
that the protocol is insecure. 

1 Introduction 

The subject of two party quantum cryptography has had many twists and turns and until 
now security was proven only for very weak tasks like quantum gambling 0] and cheat 
sensitive bit commitment ||^, while many two party tasks such as bit commitment [Q, 
, ideal coin tossing and secure two party computations were proven insecure. 

Recently, however, Mayers, Salvail and Chiba-Kohno suggested a protocol, called there- 
after MSC(99). They claimed this protocol may achieve unconditionally secure non-ideal 
coin tossing. 

Coin tossing is a task in which two remote distrustfull parties conventionally called 
Alice and Bob run a protocol that, in the case that both parties act honestly, has equal 
probability to give the result 1 or 0. The protocol has another result abort which is 
not obtained when both parties act honestly (except with a possibly arbitrarily small 
probability). Therefore when abort is obtained the interpretation of an honest player 
is that the other party deviated from the protocol. A protocol that satisfies the above 
conditions is called correct. 
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Let pb{ where 6 = 0, 1) be the probabihty that the resuh b is obtained. A non-ideal 
exact coin tossing protocol is called secure if, in the case that one of the parties cheats, 
(i.e. deviates from the given protocol) the following condition: ph < 1/2, is satisfied. A 
non-ideal non-exact coin tossing protocol is called secure if, in the case that one of the 
parties cheats, the following requirement is satisfied: Pb < | + where is a security 
parameter that can be made arbitrarily small. 

The idea behind MSC(99), which is a non-ideal non-exact coin tossing protocol, is to build 
a protocol where both parties have almost no information, on the completely random 
output at first. As the protocol proceeds, they get in a slow and almost symmetric way 
more and more information about the result , until both have full information on the 
output. Such a protocol is supposed to overcome the generalized attacks used against 
quantum bit commitment since, although at first a cheater can change the result without 
being detected, he has no information about the result and therefore any change would 
be useless. While at the end of the protocol, a cheater may have information about the 
protocol's result but it will be almost impossible for him to change the result undetected. 
In this letter we will analyze the information flow in MSC(99) and suggest an attack 
on MSC(99) in which the cheater acts honestly on the quantum level (keeps everything 
possible in a superposition) until he can obtain enough (but not to much) information 
about the protocol's result. He then makes the measurement and causes the superposition 
to "collapse" according to the information he obtains and his desired result. This attack 
is a generalization of the standard attacks on quantum bit commitment and can be 
carried out by any participant as long as the protocol is symmetric. This attack on 
MSC(99) creates a non negligible bias on the protocol's output that is independent of 
the parameters of the protocol and therefore shows that the protocol is insecure. 

2 Distinguishability measures 

In what follows will shall use the following results from quantum information theory. 
Given a quantum system whose density matrix is, with equal probability, one of two 
possible density matrices po,pi G Hi and asked to decide which one we were given, the 
measurement that minimizes the error probability of the decision is a measurement of 
the observable and the probability of error is: 



1^. Another important quantity is the Kolmogorov distance, which is defined in the 
following way: 



PE{po,Pi) 



11, 

-- -tr\po- pi\, 
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where the maximization is done over all possible POVM's. The connection between these 
two quantities is the following: 



K{pQ,pi) = ]^tr\pQ- pi\. (3) 

This shows that the measurements that optimizes K and PE (which we call Ek ) are 
identical. Therefore the Kolmogorov distance quantifies the deviation from a random 
guess giving it a well defined operational meaning, . 

The transition probability of two density matrices po. Pi is defined as 

P{pQ,pi) = max\{'4)Q\'4)i)\^, (4) 

where |'?/'o), 1"^!) G TYi ® 7^2 are purifications of po,Pi and the maximization runs over 
all possible purifications of Po,Pi- Moreover, we can fix the purification of one density 
matrix and do the maximization over all purifications of the other [^. Since different 
purifications of a density matrix in Tii are related by unitary transformations on 7-^2 the 
maximum can be obtained by maximizing over unitary transformations on \tpo) or 
in 7-^2 alone. 

Another important quantity is the fidelity of two density matrices which is defined by: 



Fipo,Pi) = minJ2 \Jir{poE^)Jtr{piE^) (5) 



where we minimize over all possible POVM's. It was shown in |TT| that the fidelity can 
be written explicitly as 



F{po, Pi) = trJ v^piv^ (6) 



and in [12] it was proven that the fidelity is related to the transition probability through: 



F(po,Pi) = V^(po,Pi). (7) 



3 The suggested attack on MSG (99) 

Let us, following MSC(99), define the normalized qubit states ip{0) = c|0) + s\l) and 
ip{l) = c|0) — s|l) where c, s are real numbers. Let ^{bj) = where bj G {0, 1}. 

A two element POVM with results {cj; _L} where cj G {0, 1}, is defined in the following 
way Ec^ = |$(cj))($(cj)|, Ej: = 1 — Ec^ Whenever the result ± is obtained the result 
of the protocol is abort. 
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We will now describe in detail an explicate attack on the MSC(99) protocol. We assume 
w.l.o.g that the cheater, whom we call Bob*, wishes to create a bias towards and that 
Alice is acting honestly throughout the protocol. We assume for the sake of simplicity 
that when both participants act honestly the probability for ± is 0. In the parenthesis 
we shall describe what an honest Bob does according to MSG (99). 

Step 1 For j = 1, . . . , m do: 

Alice chooses randomly a bit aj G {0, 1}. 
Bob* does nothing. 

(Bob chooses a random bit 6^ e {0, 1}. ) 



Step 2 For i = 1, . . . , n do: For j = 1, . . . , m do: 

Alice uniformly picks at random a bit Cy and sends a pair of qubits in the state 

Bob* picks at random a bit dij and prepares the following entangled state 

-1 m n 

V ^ b j=l i=i 

where the are 2"* orthogonal vectors in the Hilbert space TYb, \h) — 

®r=i\h)- 

Bob* sends Ahce the state p = trB\Ti){ri\. 

(Bob uniformly picks a random bit d^j and sends a pair of qubits in the product 
state %l){dij)%l){dij).) 



Step 3 For i = 1, . . . ,n do:For j = 1, . . . , m do: 

Alice announces Cij = aj © Cij and Bob* returns the second qubit at position 
if Cij — and the first qubit otherwise. The Hilbert space of the qubits Bob* sends 
back will be called Haba, and the qubits that Bob* keeps belong to the Hilbert 
space Hab- 

Bob* announces fij = dij and Alice returns the second qubit at position if 
fij — and the first qubit otherwise. The Hilbert space of the qubits Alice returns 
is Hbab- The Hilbert space of the qubits Ahce keeps is Hba- 
At this stage, the qubits in TCab, for every j are in the state $(aj). The qubits 
in 'Hab A are in the state $(aj). The mn qubits in TisAB are entangled with 
the mn qubits in T-Lba and with the register in TCb- Let us define: — 
<S>]Li ^{bj)A^{bj)B then the entangled state shared by Ahce and Bob* is: 
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(Bob announces fij = bj © dij and Alice returns the second qubit at position 
if fij — and the first qubit otherwise.) 

Step 4A For j = 1, 1 do: 

Ahce announces aj, Bob* executes the POVM [E^^E^^) on $(%) notes the out- 
come hj and if cij = _L the protocol aborts. 

Bob* measures the following two element POVM Dq = |0)(0| and Dl = |1)(1| in 
Hb on the j-th qubit. If he gets the result Dq he announces bj = and if he receives 
the result D{ he announces bj — 1. Alice executes the POVM {Ei,.,E^^ on $(6j) 

if the outcome is bj — ± the protocol aborts. 

At this stage the entangled state in 'Hba®'Hbab ^Tis is: 

W')-^^i:\H^')BA,BAB\b')B (10) 

where b' G {0, l}™"^'. 

(Bob announces bj, Alice executes the POVM {Ei,^,E^.) on $(6j), if the outcome 
is bj = _L the protocol aborts.) 



Step 4B For j = I do: 

Ahce announces ai Bob* executes the above POVM on $(a;) and if a/ = _L the 

protocol aborts. 

Let: 

Pcik)-^ E ((8)*(%)*U%)) (11) 

{a*=|e7Lfeai=0} 0=k 
-1 m 

Pcik) = ^, E ((8)^(«.)^U%)) (12) 

{a''\®]l^aj=l} j=k 

where C E {A, B} and G {0, l]-™-'^. Bob* measures the remaining {m — {l + l))n 
qubits in Has with the POVM that distinguishes maximally between p^{l + l) and 
p^^{l + 1) and obtains the result A" G {0, 1}. 

Bob* then measures the following POVM on Tis 

Fo- E \b"){b"\ (13) 

{6"|e-,6i=0} 

and 

Fi= E \b"){b"\ (14) 
{b"\(Bf^^b,=l} 
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where h" G {0, and obtains the result F G {0, 1}. Bob* calculates the 

following expression X = ©j^^aj ©j=i bj®A"(BF. At this stage the state entangled 
between Bob* and Alice is the following: 

\V"{F)) = -L= \K')BA,BAB\b")B (15) 

and the state in Hba is p^{l) = TrB,BAB{\i\F)){i\F)\). 
If X = 0, Bob* measures the POVM with the elements 

B^„ = \h"){h"l (16) 



where h" = {b"\ (BjLi bj = F}. Bob* obtains the result b" and announces fef. 
If X = 1 Bob* does the following: 

We know from (^) that: 

« = PipUl),p'Bil)) = max I {v"mUBV"iF)) \' (17) 

where maximization is done over all unitary transformations Ub in T-Cb- Let be 
the transformation that achieves the maximum, then U^\rj"{F)) can be written in 
the following way: 



U*bW\F)) = ^e''\i]"{F)) + Vl^e''P\r^"{F)) 



u 



E Wv)BA^BAB\b")B 



')m—l 

{b"\(B]lfy=F} 



+VT^e"^\ri"{F)). (18) 

Bob* applies the transformation f/^ on Ub, and measures a POVM with the ele- 
ments B^'„, where b" = {b"\®f^ib'- = F}. When Bob obtains the result 9' = b'l ... 6^ 

he announces 6". Otherwise he chooses randomly a V' where (B^^fi'l = F. 

Alice executes the POVM {Eb^, E^J on the l-th qubit if the outcome is 6/ = ± the 

protocol aborts. 

(Bob announces bi. Alice executes the POVM {E^.E^j) on ^(bi) if the outcome is 
bi = 1. the protocol aborts.) 

Step 4C For j = / + 1, . . . , m do: 

Alice announces aj Bob* does nothing. 

Bob* announces b'- if X = or fo) if X = 1. Ahce executes the POVM {Eb^,Ei\) 
on the j-th qubit, if the outcome is bj = _L the protocol aborts. 
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The result of the coin tossing will he X ^ ©'=1% % ®f=i h = ©j=i% ® 

A" ©5-\ 6,- e B. 

(Bob announces fej. Alice executes the POVM (£^6^, E^^^) on if the outcome is 
hj — ± the protocol aborts.) 

Step 5 For j — 1 . . .m do: 

Alice measures the state ^{dj) returned by Bob* at position j with the POVM 

, E^^) and if the outcome is _L the protocol aborts. 
Bob* measures the state returned by Alice at position j with the POVM 

{Ei^., E^ ) and if the outcome is _L the protocol aborts. 

(Bob measures the state ^{bj) returned by Alice at position j with the POVM 
{Ef^.,E^) and if the outcome is _L the protocol aborts.) 

4 Analysis of the attack 

Let us calculate the bias Bob* created on the distribution of the correct results (0, 1) of 
the protocol . In order to obtain this bias we must calculate what is the probability that 
the result of the coin tossing is and that the protocol is found to be correct. This will 
be in our case p{X — 0) because for 2; e {0, 1, ±} we have that 2; ® ± = ±. 

The probability that the result of the coin tossing is or ±, is the same as the probability 
that A" = A", because whenever Bob* obtains an error at step 4B the protocol's result 
is 1 or _L. This probability is: 

p(A" = A") = 1 - PE(p%{l + 1),pUI + !)) = !- PE'+\po,pi). (19) 

Since we assume Alice is acting honestly,and until step 4B Bob* always gives Alice results 
that coincide with what Bob would have told her, ( With probability one the protocol 
does not abort until that step, since we assumed that the honest protocol aborts with 
probability zero.) therefore the probability that the protocol succeeds is: p{X ^ ±) = 
p{B 7^ -L). In the case Bob* obtains in step AB X — 0: 

p{By^±) = J2pib" = b") 

b" 

= T.:^i\{b''mb^')W'{F))\'^l. (20) 
b" ^ 

If the result Bob* obtains in step 4B is X = 1 the probability that the protocol succeeds 
will be : 

p(S^±) = ^p(6" = 6") 

b" 



7 



= T.^mmb^')\UB{W'{F)))\' (21) 

b" 

> u = P{p\{l),p\{l)) = {F\po,p,)f. (22) 

Bob obtains the results 0, 1 for A" with probabihty |. Therefore we obtain the following 
expression for the probability Bob* cheats successfully: 

p(X = 0) > ^p(A")p(i" = A")p(5 7^ ±) 

A" 

= lil-PE^^\po,Pi)il + iF\po,p,)n (23) 



The next step is an explicit calculation of (|23|). The probability of error in guessing the 
parity bit of a string of q bits with parameters c,s was found in to be: 

PE'^{po,Pi)=^-^^^^. (24) 



The fidelity between the two density matrices was calculated in [0 with the result: 
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Fi{po,pi)= J2 \u ^ |c2(™-''-^)s2'=-c2V("^-'?-^)|. (25) 



fc=0 



Unlike the case of and |T3[, in MSC(99) the quantum states that represent the two 
possible values of the bit |$(0)), |$(1)) belong to H^" . However they span a two di- 
mensional Hilbert space Ti' therefore we can define c'^ — s'^ = (c^ — s^)" and write 
|$(0)) = c'|0') + s'|l'), |$(1)) = c'|0') - where |0'), are two orthogonal vectors 
in Ti.'. Therefore we can use the results of H and iTBI to write that: 



p{X = 0) > ^(l + (2cV)™~('+^); 



(1 + (E ["^u M|c'2(™"'-'=)s'2'=-c'2V2('"-'~'=)|)2). (26) 
k=o \ ^ / 

A good approximation (for large m — l) of this expression can be obtained in the following 
way: Let us define t = s'"^, one easily recognizes that (^) is the statistical overlap of 
two binomial distributions with mean t and 1 —t. Since, the transformation k —>■ m — k, 
transforms one distribution to the other we can write 

F'ipo,p,) = 2± (^-y'^il-tr-^-'^-l. (27) 
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Using the following theorem |n 



E 



k<nt+ay/t{l-t)n 



(28) 



we have that 



2 r ^ , 

e 2 dx — 1 

TT J-oo 



(29) 



where a = / ("^ ^)(^ ^ Therefore t = 4 



if t < 1 - t, and t = | + 



4{l-t)t • -^^^^-^^^^-^^ 2 2Vm-i+a2 " _ "^^^ 2 ' 2v'm-;+a2 

ii t > 1 — t. This leads to the following bound for the fidelity 



F'{po,pi)^Erf{ 



a , 
71^ 



(30) 



For large m — I , we can simplify the probability that Bob* guessed correctly the result 
of the protocol at step Z + 1 in the following way: 



l-PE'+\po,pi)>l-PE\po,pi) 



l + (4t(l-t)) 



m — Z 
2 



1 + (1- 



-,,2 . m — l 



m—l-\-a'^ 



l + e— 



-4i(l-t) 



> 



1 + e— 



(31) 
(32) 



Therefore the probability the protocol's result is is: 



P{X = 0) 



(l + ir)(l + (Er/(y^CT))2) 



(33) 



In MSC(99) (and in any reasonable coin-tossing protocol) K varies between a very small 
number in the beginning of the protocol, ( (1 — (c^ — s2^2iogAf^M case) to very close 

to one at the end of the protocol, (1 — (c^ — s2^2iogA/ case)since K quantifies the 

participant's knowledge about the protocol's result. Figure 1 (below) shows that Bob*'s 
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bias is larger then 1/2 for all < < 1 and that it reaches it's maximum 0.09195 when 
K = 0.510964. 



Bias 
O.lr 



Fig 1. Bob*'s bias during the protocol 

These results do not depend on the parameters (c,s,n,m) of the protocol, (as long as m is 
large enough and c not to close to 1/2 which are necessary for the protocol to be secure 
and correct.) the bias created by Bob* is intrinsic to the information fidelity tradeoff 
of the parity bit problem. In addition it gives us a constructive answer when should 
a cheater attack in order to the obtain maximum bias for our attack. If we use the 
parameters suggested in MSC(99) (c^ — = cos|, n = logm ,m) a simple calculation 
shows that the optimal attack is when / = ^ogo.5io964 ^j^^ ^ ^^^^^ have not been 

revealed. 

It is important to note that we have not claimed that this attack achieves maximum 
bias. The attack we suggested is oblivious to the exact structure of the density matri- 
ces p^lk), p^{k), therefore it is possible that a cheater can create a larger bias on the 
protocol's result by taking the structure of these density matrices into consideration. 



5 Conclusion 

The results obtained above do not completely obliterate the possibility of achieving a 
secure quantum coin tossing using a slow symmetric protocol such as MSC(99). The 
attack we suggested on such protocols shows, that protocols using this method must 
take great care of the tradeoff (such as in (p3|)) between the information a participant 



can obtain about the protocol's result and the fidelity between the density matrices 
representing the protocol's possible results, during the course of the protocol. 
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